CVE-2014-5446
published 2014-12-04


Priority: P3 (49)
CVSS 2.0: 5 (medium), vector AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploit: available
EPSS: 54.72% (98.9th percentile)
Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.

Affected (14 ranges)

Vendor      Product                         Version range   Fixed in
zohocorp    manageengine_it360
zohocorp    manageengine_netflow_analyzer
zohocorp    manageengine_netflow_analyzer
zohocorp    manageengine_netflow_analyzer
zohocorp    manageengine_netflow_analyzer
zohocorp    manageengine_netflow_analyzer
zohocorp    manageengine_netflow_analyzer
zohocorp    manageengine_netflow_analyzer
zohocorp    manageengine_netflow_analyzer
zohocorp    manageengine_netflow_analyzer
zohocorp    manageengine_netflow_analyzer
zohocorp    manageengine_netflow_analyzer
zohocorp    manageengine_netflow_analyzer
zohocorp    manageengine_netflow_analyzer

Detection & IOCs (extracted from sources)

URL:  /netflow/servlet/DisplayChartPDF?filename=../../../../boot.ini
Path: /netflow/servlet/DisplayChartPDF
  • Monitor HTTP GET requests to the DisplayChartPDF servlet that contain directory traversal sequences ('..') in the 'filename' parameter.
  • Exploitation of CVE-2014-5446 via DisplayChartPDF is unauthenticated in NetFlow Analyzer and authenticated in IT360; alert on traversal attempts against this endpoint from unauthenticated sessions.
  • Exploitation works on both Windows and Linux targets; watch for traversal payloads in the filename parameter that target OS-specific sensitive files (e.g., boot.ini on Windows, /etc/passwd on Linux).
  • Affected versions are NetFlow Analyzer v8.6 through v10.2 and IT360 v10.3 and above; no patch was available at the time of disclosure (0-day release after 105 days of no vendor action).
  • Because the vulnerability was disclosed as a 0-day with no fix available, verify the current patch status before assuming remediation.
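As an added example (not code from the advisory or the vendor), the first detection bullet above implemented as a small scanner over constructed access-log lines; it goes slightly beyond the literal '..' check by also catching percent-encoded and backslash variants of the traversal sequence. The log lines and client addresses are constructed for the demo.

```python
# Added example (not from the page or the vendor): flag access-log requests that
# target the DisplayChartPDF servlet from CVE-2014-5446 with '..' in 'filename'.
import re
from urllib.parse import urlsplit, parse_qs, unquote

SERVLET_PATH = "/netflow/servlet/DisplayChartPDF"  # path named in the advisory
# Common-log-format request field: "METHOD URL HTTP/x.y"
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

def normalize(value: str) -> str:
    """Percent-decode up to twice (catches %2e%2e and %252e) and fold '\\' to '/'."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_traversal(url: str) -> bool:
    """True if the request hits DisplayChartPDF with a '..' segment in filename."""
    parts = urlsplit(url)
    if normalize(parts.path).lower() != SERVLET_PATH.lower():
        return False
    for raw in parse_qs(parts.query, keep_blank_values=True).get("filename", []):
        if ".." in normalize(raw).split("/"):  # '..' as a whole path segment
            return True
    return False

def scan_log(lines):
    """Return (client_ip, url) for each log line that looks like a traversal attempt."""
    hits = []
    for line in lines:
        m = _REQ.search(line)
        if m and is_traversal(m.group("url")):
            hits.append((line.split()[0], m.group("url")))
    return hits

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Dec/2014:10:00:01 +0000] "GET /netflow/servlet/DisplayChartPDF?filename=chart.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/Dec/2014:10:00:02 +0000] "GET /netflow/servlet/DisplayChartPDF?filename=../../../../boot.ini HTTP/1.1" 200 312',
    '198.51.100.7 - - [04/Dec/2014:10:00:03 +0000] "GET /netflow/servlet/DisplayChartPDF?filename=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024',
    '192.0.2.11 - - [04/Dec/2014:10:00:04 +0000] "GET /netflow/servlet/Other?filename=../../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, url in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {url}")
```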